
EXPLORE DETECTIONS

3,252 detections found

Persistence Via New SIP Provider

Detects when an attacker registers a new SIP provider for persistence and defense evasion.

T1553.003
Sigma (medium)

Persistence Via Sticky Key Backdoor

By replacing the Sticky Keys executable with the local admin's CMD executable, an attacker is able to access a privileged Windows console session without authenticating to the system. When Sticky Keys is "activated", the privileged shell is launched.

T1546.008
Sigma (critical)

Persistence Via Sudoers Files

Detects creation of the sudoers file or of files in the "sudoers.d" directory, which can be used as a potential method to persist privileges for a specific user.

T1053.003
Sigma (medium)

Persistence Via TypedPaths - CommandLine

Detects modification of or addition to the 'TypedPaths' key in the user or admin registry via the command line, which might indicate a persistence attempt.

Sigma (medium)

PetitPotam Suspicious Kerberos TGT Request

Detects suspicious Kerberos TGT requests. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to the Domain Controller computer accounts.

T1187
Sigma (high)

PFX File Creation

Detects the creation of PFX files (Personal Information Exchange format). PFX files contain private keys and certificates bundled together, making them valuable targets for attackers seeking to:
- Exfiltrate digital certificates for impersonation or signing malicious code
- Establish persistent access through certificate-based authentication
- Bypass security controls that rely on certificate validation

Analysts should investigate PFX file creation events by examining which process created the PFX file and its parent process chain, as well as unusual locations outside standard certificate stores or development environments.

T1552.004
Sigma (low)

Phishing Pattern ISO in Archive

Detects cases in which an ISO file is opened within an archiver like 7-Zip or WinRAR, which is a sign of phishing, as threat actors put small ISO files in archives as email attachments to bypass certain filters and protective measures (Mark of the Web).

T1566
Sigma (high)

Php Inline Command Execution

Detects execution of php using the "-r" flag. This could be used as a way to launch a reverse shell or execute live PHP code.

T1059
Sigma (medium)

PIM Alert Setting Changes To Disabled

Detects when PIM alerts are set to disabled.

T1078
Sigma (high)

PIM Approvals And Deny Elevation

Detects when a PIM elevation is approved or denied. Approvals or denials outside of normal operations should be investigated.

T1078.004
Sigma (high)

Ping Hex IP

Detects a ping command that uses a hex-encoded IP address.

T1140, T1027
Sigma (high)

PktMon.EXE Execution

Detects execution of PktMon, a tool that captures network packets.

T1040
Sigma (medium)

Pnscan Binary Data Transmission Activity

Detects command line patterns associated with the use of Pnscan for sending and receiving binary data across the network. This behavior has been identified in a Linux malware campaign targeting Docker, Apache Hadoop, Redis, and Confluence, and was previously used by the threat actor known as TeamTNT.

T1046
Sigma (medium)

Port Forwarding Activity Via SSH.EXE

Detects port forwarding activity via SSH.exe.

T1572, T1021.001, T1021.004
Sigma (medium)

Portable Gpg.EXE Execution

Detects the execution of "gpg.exe" from an uncommon location. Often used by ransomware and loaders to decrypt/encrypt data.

T1486
Sigma (medium)

Possible Coin Miner CPU Priority Param

Detects a command line parameter very often used with coin miners.

T1068
Sigma (critical)

Possible DC Shadow Attack

Detects DCShadow via the creation of a new SPN.

T1207
Sigma (medium)

Possible DCSync Attack

Detects remote RPC calls to MS-DRSR from non-DC hosts, which could indicate DCSync / DCShadow attacks.

T1033
Sigma (high)

Possible Impacket SecretDump Remote Activity

Detects AD credential dumping using the Impacket secretsdump hacktool (HKTL).

T1003.002, T1003.004, T1003.003
Sigma (high)

Possible Impacket SecretDump Remote Activity - Zeek

Detects AD credential dumping using the Impacket secretsdump hacktool (HKTL). Based on the Sigma rule rules/windows/builtin/win_impacket_secretdump.yml.

T1003.002, T1003.004, T1003.003
Sigma (high)

Possible PetitPotam Coerce Authentication Attempt

Detects PetitPotam coerced authentication activity.

T1187
Sigma (high)

Possible Privilege Escalation via Weak Service Permissions

Detects the sc.exe utility being spawned by a user with Medium integrity level to change a service's ImagePath or FailureCommand.

T1574.011
Sigma (high)

Possible Shadow Credentials Added

Detects possible addition of shadow credentials to an Active Directory object.

T1556
Sigma (high)

Potential 7za.DLL Sideloading

Detects potential DLL sideloading of "7za.dll".

T1574.001
Sigma (low)
Page 64 of 136